fix: ldap issues

logic fixed for updating user created by external auth provider
remove internal from AuthProviderType
replace AUTH_MECHANISM with AUTH_PROVIDERS

api/.env.example

@@ -14,7 +14,7 @@ HELMET_COEP=[true|false] if omitted HELMET default will be used
 
 DB_CONNECT=mongodb+srv://<DB_USERNAME>:<DB_PASSWORD>@<CLUSTER>/<DB_NAME>?retryWrites=true&w=majority
 
-AUTH_PROVIDERS=[ldap|internal] default considered as internal
+AUTH_PROVIDERS=[ldap]
 
 LDAP_URL= <LDAP_SERVER_URL>
 LDAP_BIND_DN= <cn=admin,ou=system,dc=cloudron>

api/src/controllers/group.ts

@@ -251,7 +251,7 @@ const updateUsersListInGroup = async (
       message: `Can't add/remove user to '${PUBLIC_GROUP_NAME}' group.`
     }
 
-  if (group.authProvider !== AuthProviderType.Internal)
+  if (group.authProvider)
     throw {
       code: 405,
       status: 'Method Not Allowed',
@@ -266,7 +266,7 @@ const updateUsersListInGroup = async (
       message: 'User not found.'
     }
 
-  if (user.authProvider !== AuthProviderType.Internal)
+  if (user.authProvider)
     throw {
       code: 405,
       status: 'Method Not Allowed',

api/src/controllers/user.ts

@@ -299,14 +299,19 @@ const updateUser = async (
 
   const user = await User.findOne(findBy)
 
-  if (
+  if (username && username !== user?.username && user?.authProvider) {
-    user?.authProvider !== AuthProviderType.Internal &&
-    (username !== user?.username || displayName !== user?.displayName)
-  ) {
     throw {
       code: 405,
       message:
-        'Can not update username and display name of user that is created by an external auth provider.'
+        'Can not update username of user that is created by an external auth provider.'
+    }
+  }
+
+  if (displayName && displayName !== user?.displayName && user?.authProvider) {
+    throw {
+      code: 405,
+      message:
+        'Can not update display name of user that is created by an external auth provider.'
     }
   }
 

api/src/model/Group.ts

@@ -50,8 +50,7 @@ const groupSchema = new Schema<IGroupDocument>({
   },
   authProvider: {
     type: String,
-    enum: AuthProviderType,
+    enum: AuthProviderType
-    default: 'internal'
   },
   isActive: {
     type: Boolean,

api/src/model/User.ts

@@ -71,8 +71,7 @@ const userSchema = new Schema<IUserDocument>({
   },
   authProvider: {
     type: String,
-    enum: AuthProviderType,
+    enum: AuthProviderType
-    default: 'internal'
   },
   isAdmin: {
     type: Boolean,

api/src/utils/verifyEnvVariables.ts

@@ -9,8 +9,7 @@ export enum ModeType {
 }
 
 export enum AuthProviderType {
-  LDAP = 'ldap',
+  LDAP = 'ldap'
-  Internal = 'internal'
 }
 
 export enum ProtocolType {
@@ -111,7 +110,7 @@ const verifyMODE = (): string[] => {
   }
 
   if (process.env.MODE === ModeType.Server) {
-    const { DB_CONNECT, AUTH_MECHANISM } = process.env
+    const { DB_CONNECT, AUTH_PROVIDERS } = process.env
 
     if (process.env.NODE_ENV !== 'test') {
       if (!DB_CONNECT)
@@ -119,14 +118,12 @@ const verifyMODE = (): string[] => {
           `- DB_CONNECT is required for PROTOCOL '${ModeType.Server}'`
         )
 
-      if (AUTH_MECHANISM) {
+      if (AUTH_PROVIDERS) {
-        const authMechanismTypes = Object.values(AuthProviderType)
+        const authProvidersType = Object.values(AuthProviderType)
-        if (!authMechanismTypes.includes(AUTH_MECHANISM as AuthProviderType))
+        if (!authProvidersType.includes(AUTH_PROVIDERS as AuthProviderType))
           errors.push(
-            `- AUTH_MECHANISM '${AUTH_MECHANISM}'\n - valid options ${authMechanismTypes}`
+            `- AUTH_PROVIDERS '${AUTH_PROVIDERS}'\n - valid options ${authProvidersType}`
           )
-      } else {
-        process.env.AUTH_MECHANISM = DEFAULTS.AUTH_MECHANISM
       }
     }
   }
@@ -307,37 +304,37 @@ const verifyLDAPVariables = () => {
     LDAP_USERS_BASE_DN,
     LDAP_GROUPS_BASE_DN,
     MODE,
-    AUTH_MECHANISM
+    AUTH_PROVIDERS
   } = process.env
 
-  if (MODE === ModeType.Server && AUTH_MECHANISM === AuthProviderType.LDAP) {
+  if (MODE === ModeType.Server && AUTH_PROVIDERS === AuthProviderType.LDAP) {
     if (!LDAP_URL) {
       errors.push(
-        `- LDAP_URL is required for AUTH_MECHANISM '${AuthProviderType.LDAP}'`
+        `- LDAP_URL is required for AUTH_PROVIDER '${AuthProviderType.LDAP}'`
       )
     }
 
     if (!LDAP_BIND_DN) {
       errors.push(
-        `- LDAP_BIND_DN is required for AUTH_MECHANISM '${AuthProviderType.LDAP}'`
+        `- LDAP_BIND_DN is required for AUTH_PROVIDER '${AuthProviderType.LDAP}'`
       )
     }
 
     if (!LDAP_BIND_PASSWORD) {
       errors.push(
-        `- LDAP_BIND_PASSWORD is required for AUTH_MECHANISM '${AuthProviderType.LDAP}'`
+        `- LDAP_BIND_PASSWORD is required for AUTH_PROVIDER '${AuthProviderType.LDAP}'`
       )
     }
 
     if (!LDAP_USERS_BASE_DN) {
       errors.push(
-        `- LDAP_USERS_BASE_DN is required for AUTH_MECHANISM '${AuthProviderType.LDAP}'`
+        `- LDAP_USERS_BASE_DN is required for AUTH_PROVIDER '${AuthProviderType.LDAP}'`
       )
     }
 
     if (!LDAP_GROUPS_BASE_DN) {
       errors.push(
-        `- LDAP_GROUPS_BASE_DN is required for AUTH_MECHANISM '${AuthProviderType.LDAP}'`
+        `- LDAP_GROUPS_BASE_DN is required for AUTH_PROVIDER '${AuthProviderType.LDAP}'`
       )
     }
   }
@@ -347,7 +344,6 @@ const verifyLDAPVariables = () => {
 
 const DEFAULTS = {
   MODE: ModeType.Desktop,
-  AUTH_MECHANISM: AuthProviderType.Internal,
   PROTOCOL: ProtocolType.HTTP,
   PORT: '5000',
   HELMET_COEP: HelmetCoepType.TRUE,